Bruce Schneier. Lanette Dowell. November 25, 2009.
Post on 19-Dec-2015
Introduction
“It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics” – Bruce Schneier in Applied Cryptography 1996
Security is a chain. It's only as secure as the weakest link.
Security is a process, not a product.
Part 1: The Landscape
Who are the attackers? What do they want? What do we need to deal with threats?
Real life vs Digital World
Criminal Attacks
○ “How can I acquire the maximum financial return by attacking the system?”
Privacy Violations
Publicity Attacks
Legal Attacks
Who are the bad guys?
Hackers
Criminals / Organized Crime
Insiders
Industrial Espionage
Press
Terrorists
National Intelligence Organizations
Infowarriors
Part 2: Technologies
Networked-Computer Security
Malicious Software
○ Viruses
○ Worms
○ Trojan Horses
Websites
○ URL hacking
○ Cookies
Etc…
Network Defences
Firewalls
DMZ (Demilitarized Zones)
VPN (Virtual Private Networks)
Honey Pots and Burglar Zones
Vulnerability Scanners
Email Security
Software Reliability
Faulty code
Buffer overflows
“Computers are stupid”
Secure Hardware
Putting a $100K lock on a cardboard house
Part 3: Strategies
Given the requirements of landscape, and the limitations of the technology, what do we do now?
Threat Modeling and Risk Assessment
Attack Trees
Product testing
Verification
More software complexity = more security risks (next slide, Windows…)
Lines of code in Windows:
Windows 3.1: 3 million
Windows NT: 4 million
Windows 95: 15 million
Windows NT 4.0: 16.5 million
Windows 98: 18 million
Windows 2000: 35-60 million